Pub. 6 2017-2018 Issue 3

20 San Diego Dealer Cyber Crimes: Why You Should Be Very Afraid Y ouwant to balance your inventories. You have twentymore new vehicles than you need. Another dealer says hewants them. You do the deal, he picks up the vehicles, and you do not get paid. The dealer says he sent you a wire transfer for three-quarters of a million dollars, but you never received it. Your floorplan source is demanding the vehicles be paid off. What went wrong? If you are like one of two Midwest dealers involved in a recent lawsuit, you may be the unfortunate victim of a cybercrime. In a Midwest lawsuit, a dealer arranged through its inventory manager to sell twenty Ford Explorers to another Ford dealer. After the arrangements were made through email, and the vehicles were shipped, the buying dealer received emails about payment from a slightly different email address that began with a simple message: “Due to some tax related procedures, we will prefer a wire transfer, let me know when you need wiring instructions?” Unfortunately, those payment emails were sent by a Nigerian fraudster who hacked into and took up residence in the selling dealer’s computer system. He provided wire instructions to his account, the money was wired by the buyer to the real bank account set up by the fraudster, and then the account was immediately emptied. Both dealers were victims. However, the federal judge considering the case had to choose a winner and a loser, and he ruled that the buying dealer must pay the selling dealer $735,225.40, meaning the buying dealer has lost nearly three-quarters of a million dollars. This case has important lessons for all dealers. Motor vehicle dealers engage in large dollar transactions, and they are targets of hacking. The FBI has reported that from 2013-2016, known losses for a cyber crime called Business E-mail Compromise (BEC) totaled over $5 billionworldwide. The scam is carried out when a fraudster utilizes social engineering or hacking techniques to compromise business e-mail accounts and swindle unsuspecting employees into making fraudulent wire transfers. These criminals appear to indiscriminately target compa- nies—big or small—and use money mules to clean the account before anyone can discover what transpired. How does this scam work? The scam artist’s goal is to hack your e-mail account and either take control or use a spoof account to deceive your vendors, sellers, or employees into wiring funds to an account controlled by the criminal. To access an e-mail account, the criminal can utilize numerous techniques. • Man in theMiddle inwhich the fraudster intercepts communications, and steals credentials or other sensitive information; • Spoofing: in which the fraudster creates a fake, albeit similar, e-mail account to impersonate and fool victims; • Phishing: which involves the perpetrator sending an e-mail with a link to a recognizable—but fake—website, prompting the recipient to enter his or her credentials, or an attachment containing a malware program. If your e-mail is compromised through hacking, sophisticated con artists can lay dormant for weeks, evaluating the company’s vendors, accounting systems, employee communication styles and travel schedules. They end up looking like you, writing like you, and joking like you. They may impersonate the dealer and send employees “urgent” wire transfer requests or wait for a deal to develop and hijack the conversation to redirect payment. They may even inject themselves between you and your bank to intercept credentials and redirect, or create additional, wire transfers.